title: Exfiltration Over Other Network Medium (T1011)
id: df00tech-t1011
status: experimental
description: "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network monitoring infrastructure. This technique is commonly associated with insider threat scenarios and advanced adversaries who have achieved a foothold and seek to bypass perimeter DLP controls that monitor only the primary wired egress channel."
references:
  - https://attack.mitre.org/techniques/T1011/
  - https://df00tech.com/detections/T1011
author: df00tech
date: 2026/04/13
tags:
  - attack.t1011
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
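  # The original detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Assumption: the selections below are reconstructed from the false positives listed in this rule
  # (netsh wlan activity, Bluetooth transfer via fsquirt.exe) and replace a placeholder that matched every event.
  selection_netsh_wlan:
    Image|endswith: '\netsh.exe'
    CommandLine|contains: 'wlan'
  selection_bluetooth_transfer:
    Image|endswith: '\fsquirt.exe'
  condition: 1 of selection_*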
falsepositives:
  - IT administrators running netsh wlan commands to diagnose wireless connectivity issues or manage corporate wireless profiles
  - Help desk staff using netsh wlan show commands for network troubleshooting on user endpoints
  - "MDM/EMM agents (Microsoft Intune, SCCM/MECM) deploying or updating wireless configuration profiles via PowerShell"
  - "End users legitimately transferring personal files to Bluetooth peripherals (headphones, phones) via fsquirt.exe"
  - Network assessment or inventory tools querying wireless adapter status and available SSIDs
level: high
